tracking: save & restore state when suricata restarts
Much requested feature: save state at exit and restore the state when suricata starts up
Relatively easy for some things: flows, stream tracking, but hard for others: stream reassembly, etc.
Updated by Danny Browning about 3 years ago
One approach:
* For things we wish to serialize, define them in rust (e.g. https://github.com/OISF/suricata/blob/master/src/flow.h#L325)
* Use rust serde (msgpack or rson) to do serialize/deserialize of the state
In attempting to define an approach for this, most methods of doing serde approaches in c/c++ do not have a compatible license, while serde, serde-msgpack, and serde-ron do have compatible licenses.
Previously this approach would not have worked, because rust support was optional, but now that rust is required, defining core structures in rust will not create problems from a compilation/usage standpoint. With serde-derive, we can easily define which attributes we want to store off. One complication is suricata specific structures, such as SC_ATOMIC_DECLARE, and how we would populate the value. For anything not wrapped with suricata specific structures, we could also sub structure it to make serde support easier. Flow could consist of a sub structure FlowSave (name TBD) that is handled with serde.
One other benefit to a more standard format is the ability to "inject" data at portions of the pipeline. For cards doing layer 4 extraction, we may be able to skip acquire and decode.
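A sketch of the sub-structure idea from the comment above, added here as an illustration; it is not code from the Suricata project or from the commenter. It uses a hand-written encoding in place of serde so that it builds with only the standard library, and the field names, the `FSV1` tag and the byte layout are all assumptions.

```rust
use std::sync::atomic::{AtomicU32, Ordering};

const MAGIC: [u8; 4] = *b"FSV1"; // constructed format tag, not a Suricata format

/// Plain-data subset of a flow worth persisting (hypothetical fields).
#[derive(Debug, PartialEq, Clone)]
pub struct FlowSave { pub flow_hash: u32, pub use_cnt: u32, pub flowbits: Vec<u32> }

/// Runtime flow: the atomic counter cannot be serialized directly.
pub struct Flow { pub flow_hash: u32, pub use_cnt: AtomicU32, pub flowbits: Vec<u32> }

impl Flow {
    /// Snapshot the atomic into a plain value for saving.
    pub fn to_save(&self) -> FlowSave {
        FlowSave { flow_hash: self.flow_hash, use_cnt: self.use_cnt.load(Ordering::Relaxed),
                   flowbits: self.flowbits.clone() }
    }
    /// Rebuild the runtime structure, re-wrapping the counter.
    pub fn from_save(s: FlowSave) -> Flow {
        Flow { flow_hash: s.flow_hash, use_cnt: AtomicU32::new(s.use_cnt), flowbits: s.flowbits }
    }
}

pub fn encode(s: &FlowSave) -> Vec<u8> {
    let mut out = MAGIC.to_vec();
    for v in &[s.flow_hash, s.use_cnt, s.flowbits.len() as u32] {
        out.extend_from_slice(&v.to_le_bytes());
    }
    for b in &s.flowbits { out.extend_from_slice(&b.to_le_bytes()); }
    out
}

fn u32_at(buf: &[u8], off: usize) -> Option<u32> {
    let b = buf.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// Returns None on malformed input: saved state is treated as untrusted on restore.
pub fn decode(buf: &[u8]) -> Option<FlowSave> {
    if buf.get(..4)? != &MAGIC[..] { return None; }
    let (flow_hash, use_cnt, n) = (u32_at(buf, 4)?, u32_at(buf, 8)?, u32_at(buf, 12)? as usize);
    // Length must match exactly, so truncated or padded input is rejected.
    if buf.len() != 16 + n.checked_mul(4)? { return None; }
    let flowbits = (0..n).map(|i| u32_at(buf, 16 + 4 * i)).collect::<Option<Vec<u32>>>()?;
    Some(FlowSave { flow_hash, use_cnt, flowbits })
}

fn main() {
    let flow = Flow { flow_hash: 0x1234, use_cnt: AtomicU32::new(2), flowbits: vec![7, 42] }; // constructed
    let restored = decode(&encode(&flow.to_save())).map(Flow::from_save);
    println!("restored: {}", restored.is_some());
}
```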
Updated by Danny Browning almost 3 years ago
Because of the size of this feature, it should be split into smaller, easier to accomplish pieces, such as saving flowbits.
This would provide a proof of concept implementation that could be extended to the harder pieces of suricata to serialize, as additional serialization is warranted.
Updated by Victor Julien about 2 years ago
- Tracker changed from Feature to Task
- Subject changed from save & restore state when suricata restarts to tracking: save & restore state when suricata restarts
- Status changed from Assigned to New
- Assignee changed from Danny Browning to OISF Dev